IDPC (Malta) - CDP/COMP/332/2024

Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 5(1)(a) GDPR; Article 15 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 22.07.2024
Decided: 14.01.2025
Published: 17.01.2025
Fine: n/a
Parties: n/a
National Case Number/Name: CDP/COMP/332/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: ao

The DPA reprimanded a bank for failing to explain why it didn’t provide a complete copy of personal data after a data subject’s access request. Further, the DPA ordered the bank to provide additional documents in a redacted format.

English Summary

Facts

On 22 July 2024, the data subject lodged a complaint with the Maltese DPA (Office of the Information and Data Protection Commissioner – IDPC) alleging that a bank, the controller in this case, had failed to properly handle their data access request under Article 15 GDPR.

The data subject had requested full access, including internal emails exchanged among employees and any other documents or briefs written about him. The data subject had lodged the access request on 3 June 2024, and the controller responded on 28 June 2024 by supplying documents relating to the data subject. However, the requested internal emails and documents connected with a certain case, which had been ruled on by the Arbiter for Financial Services, were not included. The data subject reiterated his request.

The controller then cited Article 15(4) GDPR as well as professional and bank secrecy as the reason for refusing to share internal communications. Article 15(4) GDPR stipulates that the information provided under Article 15 GDPR must not "adversely affect the rights and freedoms of others". The data subject clarified that his request related specifically to his own personal data and did not involve any third-party data, so bank secrecy should not apply to it. To this, the controller responded that all relevant personal data had already been provided and that no further data existed.

In the complaint to the DPA, the data subject pointed out that this exchange with the controller revealed a contradiction: the controller initially acknowledged that there was more information to be provided but claimed it was prohibited from doing so by bank secrecy law, and then, in the next step, claimed that no additional data existed.

During the investigation, the controller submitted that several bank employees and their data were involved in the investigation of the case concerning the data subject, and that this prevented it from supplying the data.

Holding

First, the DPA highlighted that the controller had failed to mention bank secrecy in its initial response to the data subject. The DPA noted that it was only through the data subject's further inquiries that the reason for the limitation came to light. It therefore concluded that the reply did not meet the requirements of Article 15 GDPR.

The DPA stated that the controller had not complied with the requirements under Article 5(1)(a) GDPR as the data subject was not made to understand how his data was being processed.

Making use of its investigative powers under Article 58(1)(e) GDPR, the DPA had requested the relevant internal communications. It concluded that some, but not all, of the communications contained personal data of the data subject within the meaning of Article 4(1) GDPR. The DPA ordered the controller to explain how the rights of others could be affected under Article 15(4) GDPR if the communications were provided. The DPA stated that, under Article 5(2) GDPR, the controller is obliged to demonstrate that it carried out a proper assessment of these conflicting interests.

The DPA further held that the requested communications were subject to bank secrecy but at the same time contained personal data that had been processed in the context of a complaint before the Arbiter for Financial Services, which had already been concluded. The DPA therefore found that the controller should not have refused disclosure of the personal data outright. Instead, it should have redacted the information relating to third parties. The DPA held that this approach would balance both parties' rights. The controller was therefore held to have infringed Article 15(3) GDPR.

The DPA issued a reprimand under Article 58(2)(b) GDPR and, under Article 58(2)(c) GDPR, ordered the controller to supply the relevant information.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.